GCP GCS bucket made public
Description
AlphaSOC detected that a Google Cloud Storage (GCS) bucket was configured with
public access. This occurs when bucket IAM policies are modified to include
allUsers or allAuthenticatedUsers principals, making the bucket contents
accessible to anyone on the internet.
Impact
Public GCS buckets expose data to unauthorized access from any user on the internet. This can lead to data breaches, intellectual property theft, and exposure of sensitive information such as credentials, personal data, or proprietary business information. Attackers actively scan for public buckets to discover and exfiltrate data.
Severity
| Severity | Condition |
|---|---|
| Low | GCP GCS bucket made public |
Investigation and Remediation
Review GCP audit logs for the storage.buckets.setIamPolicy action to identify
who made the bucket public and which bucket was affected. Verify whether the
public access configuration was intentional.
If unauthorized, immediately remove public access by updating the bucket's IAM
policy to remove allUsers and allAuthenticatedUsers principals. Audit the
bucket contents to determine what data may have been exposed. Review access logs
to identify any suspicious downloads during the exposure period. Implement
Organization Policy constraints to prevent public bucket creation.
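The audit log review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it scans exported audit log entries (one JSON object per line) for granted storage.buckets.setIamPolicy calls that add allUsers or allAuthenticatedUsers. The field layout (protoPayload.authorizationInfo, serviceData.policyDelta.bindingDeltas, resource.labels.bucket_name) is assumed to match the Cloud Audit Logs JSON export, and the sample entries, names and addresses are constructed.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
ACTION = "storage.buckets.setIamPolicy"  # the action named in this page

# Constructed sample entries (not real logs), one JSON object per line.
SAMPLE_LOG = """\
{"timestamp":"2024-01-01T10:00:00Z","resource":{"type":"gcs_bucket","labels":{"bucket_name":"example-reports"}},"protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"authorizationInfo":[{"permission":"storage.buckets.setIamPolicy","granted":true}],"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"allUsers"}]}}}}
{"timestamp":"2024-01-01T10:05:00Z","resource":{"type":"gcs_bucket","labels":{"bucket_name":"example-reports"}},"protoPayload":{"authenticationInfo":{"principalEmail":"bob@example.com"},"authorizationInfo":[{"permission":"storage.buckets.setIamPolicy","granted":true}],"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"user:carol@example.com"}]}}}}
this line is not JSON and is skipped
{"timestamp":"2024-01-01T11:00:00Z","resource":{"type":"gcs_bucket","labels":{"bucket_name":"example-reports"}},"protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"authorizationInfo":[{"permission":"storage.buckets.setIamPolicy","granted":true}],"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"REMOVE","role":"roles/storage.objectViewer","member":"allUsers"}]}}}}
{"timestamp":"2024-01-02T09:00:00Z","resource":{"type":"gcs_bucket","labels":{"bucket_name":"example-assets"}},"protoPayload":{"authenticationInfo":{"principalEmail":"dave@example.com"},"authorizationInfo":[{"permission":"storage.buckets.setIamPolicy","granted":true}],"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.legacyBucketReader","member":"allAuthenticatedUsers"}]}}}}
"""

def find_public_grants(lines):
    """Return one finding per binding that newly grants a public principal."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed export line
        payload = entry.get("protoPayload", {})
        # Only count calls where the permission was actually granted.
        granted = {a.get("permission") for a in payload.get("authorizationInfo", [])
                   if a.get("granted")}
        if ACTION not in granted:
            continue
        deltas = (payload.get("serviceData", {}).get("policyDelta", {})
                  .get("bindingDeltas", []))
        for delta in deltas:
            # REMOVE deltas are remediation, not exposure.
            if delta.get("action") == "ADD" and delta.get("member") in PUBLIC_MEMBERS:
                findings.append({
                    "time": entry.get("timestamp"),
                    "bucket": entry.get("resource", {}).get("labels", {}).get("bucket_name"),
                    "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                    "role": delta.get("role"),
                    "member": delta.get("member"),
                })
    return findings

if __name__ == "__main__":
    for finding in find_public_grants(SAMPLE_LOG.splitlines()):
        print(finding)
```

The timestamp of each finding, paired with a later REMOVE delta for the same bucket, bounds the exposure period to check in the access logs.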
Known False Positives
- Buckets intentionally configured for public content delivery
- Static website hosting scenarios
- Public data sharing requirements